The notion of quiescence — the absence of outputs — is vital in both behavioural modelling and
testing theory. Although the need for quiescence was already recognised in the 90s, it has only
been treated as a second-class citizen thus far. This paper moves quiescence into the foreground and
introduces the notion of quiescent transition systems (QTSs): an extension of regular input-output
transition systems (IOTSs) in which quiescence is represented explicitly, via quiescent transitions.
Four carefully crafted rules on the use of quiescent transitions ensure that our QTSs naturally capture
quiescent behaviour.

We present the building blocks for a comprehensive theory on QTSs supporting parallel composition,
action hiding and determinisation. In particular, we prove that these operations preserve all
the aforementioned rules. Additionally, we provide a way to transform existing IOTSs into QTSs,
allowing even IOTSs as input that already contain some quiescent transitions. As an important
application, we show how our QTS framework simplifies the fundamental model-based testing theory
formalised around ioco.

1 Introduction 

Quiescence is a fundamental concept in modelling system behaviour. It explicitly represents the fact 
that, in certain system states, no output is provided. The absence of outputs is often essential: an ATM, 
for instance, should deliver the requested amount of money only once, not twice (see Figure 1). This
means that the ATM's state just after paying out money ($s_0$ in Figure 1) should be quiescent: it should
not produce any output until further input is given. On the other hand, the state before paying out
($s_3$ in Figure 1) should clearly not be quiescent. Hence, quiescence can also sometimes be considered as
erroneous behaviour. 

Thus, the notion of quiescence is essential in testing: if a system under test (SUT) does not provide 
any output, then the test evaluation algorithm must decide whether to produce a pass verdict (allowing 
quiescence at this point) or a fail verdict (forbidding quiescence at this point). 

Origins. The notion of quiescence was first introduced by Vaandrager in [14] to obtain a natural
extension of the notion of a terminal or blocking state: if a system is input-enabled (i.e., always ready to
receive inputs), then no states are blocking, since each state has outgoing input transitions. However,
quiescence can still be used to denote the fact that a state would be blocking when considering only the
output actions. Quiescence is explored further in [6, 7].

Tretmans introduced the notion of repetitive quiescence [11, 12], which emerged from the need to
continue testing, even in a quiescent state: in the ATM example above, we need to test further behaviour
that arises from the (quiescent) state after providing money. To accommodate these needs, Tretmans
introduced the suspension automaton as an auxiliary concept. More recent uses of quiescence include lUl,
applying it in the context of machine learning.

Figure 1: A very basic ATM.

Example 1.1. Consider the automaton given in Figure 1. The states $s_0$ and $s_1$ are quiescent, since they
do not have any outgoing output transitions. To obtain the suspension automaton corresponding to such
a system, Tretmans adds self-loops, labelled with the quiescence label $\delta$, to each quiescent state. □

Limitations of current treatments. While the papers above all convincingly argued the need for
quiescence, none of them presents a comprehensive theory of quiescence. Firstly, quiescence is not treated
as a first-class citizen: although the suspension automaton is used during testing, it is not defined as an 
entity in itself. Therefore, quiescence cannot be used to specify systems, and neither is it clear what 
properties a suspension automaton satisfies or should satisfy. Since conformance relations such as ioco 
are defined based on 'suspension traces', which are the traces of a suspension automaton, it seems much 
more appealing to directly start from these suspension automata and base the whole theory on them. 

Secondly, basic operators like parallel composition and hiding were only defined for input-output 
transition systems, but have not been studied for suspension automata at all. Therefore, it was still an 
open question to what extent these operators could be lifted to the setting of quiescence. 

Our approach. The current paper remediates the shortcomings of previous work and presents a
comprehensive theory for quiescence, by introducing quiescent transition systems (QTSs). These are
input-output transition systems in which quiescence can be represented explicitly by $\delta$-transitions, and form
a fully-formalised alternative to Tretmans' suspension automata. Whereas suspension automata are
always constructed by adding $\delta$-transitions to existing LTSs and subsequently determinising flSl, QTSs
are defined in a precise manner as a stand-alone entity, can be built from scratch and need not necessarily
be deterministic.

As a first step, we handle QTSs that are input-enabled (never reject an input) and most importantly 
convergent (free of infinite sequences of internal transitions), since the interplay between quiescence and 
infinite sequences of internal transitions is delicate. Hence, we first focus on the basics. Relaxing these 
restrictions is an important direction for future work. 

Starting point in our theory is the observation that, when treating quiescence as a first-class citizen, 
restrictions need to be put in place. For instance, it should never be the case that a $\delta$-transition is
followed by an output, as this would contradict the meaning of quiescence. As another example, as argued
elaborately in Section 3, we do not allow a $\delta$-transition to enable additional behaviour; after all, it would
not make much sense if our observation of the absence of outputs impacts the system. In this paper we
present and discuss four such rules, that restrict the domain of all possible QTSs to a sensible subclass.

We define three well-known automata-theoretical operations on QTSs: parallel composition, hiding 
and determinisation. These operations are very important, as they allow a modular approach to system 
specification. Additionally, we explain how to obtain a QTS from an IOTS by a process called
deltafication. We define this process in a liberal way, supporting also the construction of a QTS from an IOTS
that already has some $\delta$-transitions in place. We show that our four requirements on QTSs, which are a
key contribution of this paper, are preserved by all of these operations.

This novel theory of QTSs simplifies the theory of model-based testing. Hence, we conclude this 
paper by showing how QTSs can be used to define the conformance relation ioco, and aid in test case 
generation and evaluation. 

Overview of the paper. First, we present some preliminaries on input-output transition systems in
Section 2. Then, Section 3 introduces the QTS model and its operations, as well as a variety of important
(closure) properties. Section 4 explains how to construct QTSs based on IOTSs, and Section 5 discusses
the application of QTSs to test theory. Finally, conclusions and future work are presented in Section 6.

Due to space limitations, we refer to [8] for detailed proofs of all our lemmas, propositions and 
theorems. 

2 Background 

2.1 Preliminaries 

Given a set $L$, we denote by $L^*$ the set of all sequences over $L$. Given a sequence
$\sigma = a_1 a_2 \ldots a_n$, we define the length of $\sigma$, denoted $|\sigma|$, as $n$. The empty
sequence is denoted by $\epsilon$.

Given two sequences $\rho = a_1 a_2 \ldots a_n \in L^*$ and $\upsilon = b_1 b_2 \ldots b_k \in L^*$, we
define the concatenation of $\rho$ and $\upsilon$, denoted $\rho + \upsilon$ or $\rho\upsilon$, as
$a_1 a_2 \ldots a_n b_1 b_2 \ldots b_k$. The sequence $\rho$ is a prefix of $\upsilon$, denoted
$\rho \sqsubseteq \upsilon$, if there is a $\rho' \in L^*$ such that $\rho\rho' = \upsilon$; if
$\rho' \neq \epsilon$, then $\rho$ is a proper prefix of $\upsilon$, denoted $\rho \sqsubset \upsilon$.

Given a set $S \subseteq L^*$, a sequence $\sigma \in S$ is called maximal with respect to $\sqsubseteq$
if there does not exist a sequence $\rho \in S$ such that $\sigma \sqsubset \rho$. Clearly, such a maximal
sequence always exists.

We use $\wp(L)$ to denote the power set of $L$, i.e., $\wp(L)$ is the set of all subsets of $L$, including the
empty set and $L$ itself.

2.2 Input-Output Transition Systems 

Before we introduce Input-Output Transition Systems, we first describe the modelling formalism they 
are based on: Labelled Transition Systems. 

Definition 2.1 (Labelled Transition Systems). A Labelled Transition System (LTS) is a quadruple
$\mathcal{A} = \langle S, S^0, L, \rightarrow \rangle$, such that:

• $S$ is a (possibly uncountable) set of states;

• $S^0 \subseteq S$ is a non-empty set of initial states;

• $L$ is a set of labels, each representing a different action. We take $\tau \notin L$ to stand for an internal
(unobservable) action and define $L^\tau = L \cup \{\tau\}$;

• $\rightarrow \subseteq S \times L^\tau \times S$ is the transition relation. We use $s \xrightarrow{a} s'$ to
denote $(s, a, s') \in \rightarrow$, write $s \xrightarrow{a}$ if there is an $s' \in S$ such that
$s \xrightarrow{a} s'$, and $s \stackrel{a}{\nrightarrow}$ if this is not the case. If $s \xrightarrow{a}$ we say
that the action $a$ is enabled in state $s$.

We use $S_{\mathcal{A}}$, $S^0_{\mathcal{A}}$, $L_{\mathcal{A}}$ and $\rightarrow_{\mathcal{A}}$ to denote the
components of an LTS $\mathcal{A}$. These subscripts are left out
when it is clear from the context which LTS is referred to.

Example 2.2. Figure 2(a) shows an LTS $\mathcal{A}$. □

Figure 2: Visual representation of the LTS $\mathcal{A}$ and the IOTSs $\mathcal{B}$ and $det(\mathcal{B})$
(panels (a), (b) and (c), respectively). We represent states by circles,
and transitions by arrows; each arrow in turn is labelled with the associated action for that particular
transition. The initial state is marked by an arrow without a source state. From now on, we typically will
not label individual states.



Often, in particular in the context of testing, it is desirable to be able to distinguish between actions 
that are initiated by the environment (inputs), and actions that are initiated by the system itself (outputs). 
To this end, we introduce Input-Output Transition Systems, which are an extension of regular LTSs. 

Definition 2.3 (Input-Output Transition Systems). An Input-Output Transition System (IOTS) is a
quintuple $\mathcal{A} = \langle S, S^0, L^I, L^O, \rightarrow \rangle$, where $L^I$ is a set of input labels and
$L^O$ a set of output labels such that $L^I \cap L^O = \emptyset$. We define $L = L^I \cup L^O$ and
$L^\tau = L \cup \{\tau\}$, where $\tau \notin L$. $S$, $S^0$ and $\rightarrow$ are as defined for
LTSs. Additionally, IOTSs must be input-enabled, i.e., $s \xrightarrow{a}$ for all $s \in S$, $a \in L^I$.

Remark 2.4. Throughout this article we sometimes suffix a question mark (?) to the input labels and an 
exclamation mark (!) to the output labels, to help differentiating the two types. These are, however, not 
part of the label. 

Note that IOTSs are similar to I/O automata (SI Ul, except that the latter allow multiple internal
actions, rather than $\tau$ only. All our results can easily be phrased in the I/O automata framework.

By requiring IOTSs to be input-enabled, any input initiated by the environment is never refused by
the system. For deterministic systems (see Definition 2.7), this restriction can easily be lifted by adding
a sink state which has self-loops for all possible actions, and adding transitions for the missing inputs
to that sink state (so-called demonic completion H [15]). For nondeterministic systems, a solution is
provided in [3].

Example 2.5. Figure 2(b) shows an IOTS $\mathcal{B}$. Note that since $L^I = \{a\}$ and $s \xrightarrow{a}$
for every $s \in S$, $\mathcal{B}$ is input-enabled. □

We introduce the standard language-theoretic concepts for IOTSs.
Definition 2.6 (Notations). Let $\mathcal{A} = \langle S, S^0, L^I, L^O, \rightarrow \rangle$ be an IOTS, then:

• A path in $\mathcal{A}$ is a (possibly infinite) sequence $\pi = s_0 a_1 s_1 a_2 s_2 \ldots s_n$ such that for
all $1 \le i \le n$ we have $s_{i-1} \xrightarrow{a_i} s_i$ with $a_i \in L^\tau$. The set of all paths in
$\mathcal{A}$ is denoted $paths(\mathcal{A})$.

• The path operators $first$ and $last$ yield the first and last state of a finite path, respectively, e.g., for
$\pi = s_0 a_1 s_1 a_2 s_2$ we have $first(\pi) = s_0$ and $last(\pi) = s_2$. A path $\pi$ is called initial if
$first(\pi) \in S^0$.

• The path operator $trace$ yields the sequence of actions that is obtained by erasing all states and
$\tau$-actions from a given path, e.g., for $\pi = s_0 a_1 s_1 \tau s_2 a_2 s_3$ we have
$trace(\pi) = a_1 a_2$; we call such a sequence of actions a trace of $\mathcal{A}$. The length of a trace
$\sigma = a_1 a_2 \ldots a_n$, denoted $|\sigma|$, is the length of the corresponding sequence, i.e.,
$|\sigma| = |a_1 a_2 \ldots a_n| = n$.

• Given an action $a$ and a set of actions $P$, we denote by $a \upharpoonright P$ the projection of $a$ on
$P$, i.e., $a \upharpoonright P = a$ if $a \in P$, and $a \upharpoonright P = \epsilon$ otherwise. The
projection of a trace $\sigma = a\sigma'$ on a set of actions $P$ follows naturally from this:
$\sigma \upharpoonright P = a\sigma' \upharpoonright P = a \upharpoonright P + \sigma' \upharpoonright P$.
Finally, the projection of a set of traces $T$ on a set of actions $P$ is defined as
$T \upharpoonright P = \{\sigma \upharpoonright P \mid \sigma \in T\}$.

• If there is a finite path $\pi$ in $\mathcal{A}$ such that $first(\pi) = s$, $last(\pi) = s'$ and
$trace(\pi) = \sigma$, we write $s \stackrel{\sigma}{\Rightarrow} s'$; if there exists an $s' \in S$ such that
$s \stackrel{\sigma}{\Rightarrow} s'$, we write $s \stackrel{\sigma}{\Rightarrow}$, and
$s \stackrel{\sigma}{\nRightarrow}$ if this is not the case.

• For a finite trace $\sigma$ and state $s \in S$, we denote by $reach(s, \sigma)$ the set of states in
$\mathcal{A}$ (possibly empty) that can be reached from $s$ via $\sigma$, i.e.,
$reach(s, \sigma) = \{s' \in S \mid s \stackrel{\sigma}{\Rightarrow} s'\}$. Similarly, for a
given finite trace $\sigma$ and a set of states $S' \subseteq S$, we denote by $reach(S', \sigma)$ the set of
states in $\mathcal{A}$ that can be reached from any of the states in $S'$ via $\sigma$, i.e.,
$reach(S', \sigma) = \{s \in S \mid \exists s' \in S' . s' \stackrel{\sigma}{\Rightarrow} s\}$.

• For a finite trace $\sigma$ and state $s \in S$, $out(s, \sigma)$ is the set of output actions that are
enabled in any of the states reachable from $s$ by $\sigma$, i.e.,
$out(s, \sigma) = \{a \in L^O \mid \exists s' \in reach(s, \sigma) . s' \xrightarrow{a}\}$. We use
the shorthand $out(s)$ for the case $out(s, \epsilon)$, i.e., the set of output actions that are enabled in $s$ itself.

• For every $s \in S$ we denote by $traces(s)$ the set of all traces of $\mathcal{A}$ that correspond to paths
that start in $s$, i.e., $traces(s) = \{trace(\pi) \mid \pi \in paths(\mathcal{A}) \wedge first(\pi) = s\}$. We
denote by $traces(\mathcal{A}) = \bigcup_{s \in S^0} traces(s)$ the set of all traces that correspond to initial
paths in $\mathcal{A}$. Two IOTSs $\mathcal{B}$ and $\mathcal{C}$ are
trace equivalent if $traces(\mathcal{B}) = traces(\mathcal{C})$.

Figure 3: One deterministic ($\mathcal{A}$) and three nondeterministic ($\mathcal{B}$, $\mathcal{C}$,
$\mathcal{D}$) IOTSs (panels (a) to (d)). The IOTS $\mathcal{D}$ is divergent.

A fundamental concept in automata theory is determinism. 

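Definition 2.7 (Determinism). An IOTS $\mathcal{A} = \langle S, S^0, L^I, L^O, \rightarrow \rangle$ is
deterministic if for all $s, s', s'' \in S$, $a \in L^\tau$ we have that $s \xrightarrow{a} s'$ and
$s \xrightarrow{a} s''$ imply $a \neq \tau$ and $s' = s''$. Otherwise, $\mathcal{A}$ is nondeterministic.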

Example 2.8. Figure 3 shows some deterministic and nondeterministic IOTSs. □

Lastly, we introduce the notions of convergence and divergence.

Definition 2.9 (Divergence). Given an IOTS $\mathcal{A} = \langle S, S^0, L^I, L^O, \rightarrow \rangle$, a state
$s \in S$ of $\mathcal{A}$ is divergent if there is an infinite path $s_0 a_1 s_1 a_2 s_2 \ldots$ with
$s_0 = s$ and $s_i \in S$, that contains only $\tau$ transitions, i.e., $a_i = \tau$
for all $i$. An IOTS is called divergent if it contains at least one such state, otherwise it is convergent.

For the purposes of this paper, we require all IOTSs to be convergent.

Example 2.10. Figure 3(d) shows the divergent IOTS $\mathcal{D}$. Clearly, it is possible for $\mathcal{D}$ to
perform an infinite sequence of $\tau$-transitions by continuously looping through the innermost four states. □

Figure 4: The IOTSs $\mathcal{A}$ and $\mathcal{B}$, and their parallel composition
$\mathcal{A} \| \mathcal{B}$. Note that we have left out some of the $b?$-labelled self-loops from the
visualisation of $\mathcal{A} \| \mathcal{B}$ to reduce clutter.

2.3 Operations on IOTSs

In this section, we introduce several standard operations on IOTSs. First, every nondeterministic IOTS
can be transformed into a deterministic IOTS [9]; the latter is called the determinisation of the original
IOTS and is trace equivalent to it ||2l. Using this operator, modelling effort is saved since no attention
needs to be paid to making the specification deterministic.

Definition 2.11 (Determinisation). The determinisation of an IOTS
$\mathcal{A} = \langle S, S^0, L^I, L^O, \rightarrow_{\mathcal{A}} \rangle$ is the
IOTS $det(\mathcal{A}) = \langle T, \{S^0\}, L^I, L^O, \rightarrow_D \rangle$ such that
$T = \wp(S) \setminus \emptyset$ and
$\rightarrow_D = \{(U, a, V) \in T \times L \times T \mid V = reach_{\mathcal{A}}(U, a) \wedge V \neq \emptyset\}$.

Example 2.12. Consider the nondeterministic IOTS $\mathcal{B}$ shown in Figure 2(b). Its corresponding
determinisation $det(\mathcal{B})$ is shown in Figure 2(c). □
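An added example (not code from the paper): Definition 2.11 written as a subset construction in Python, with a bounded check that the result is deterministic and trace equivalent to the input. The encoding of transitions as (source, label, target) triples, the function names and the sample IOTS are assumptions constructed for this illustration; only the subsets reachable from $S^0$ are built.

```python
TAU = "tau"  # this example's encoding of the internal action


def tau_closure(trans, states):
    """All states reachable from `states` by zero or more tau steps."""
    seen, todo = set(states), list(states)
    while todo:
        p = todo.pop()
        for (src, a, dst) in trans:
            if src == p and a == TAU and dst not in seen:
                seen.add(dst)
                todo.append(dst)
    return seen


def reach(trans, states, a):
    """reach(U, a): tau steps are allowed before and after the a step."""
    before = tau_closure(trans, states)
    after = {dst for (src, b, dst) in trans if src in before and b == a}
    return frozenset(tau_closure(trans, after))


def determinise(trans, initial, labels):
    """Definition 2.11, restricted to subsets reachable from S^0."""
    start = frozenset(initial)
    dtrans, seen, todo = set(), {start}, [start]
    while todo:
        u = todo.pop()
        for a in labels:
            v = reach(trans, u, a)
            if v:  # the definition requires V to be non-empty
                dtrans.add((u, a, v))
                if v not in seen:
                    seen.add(v)
                    todo.append(v)
    return seen, start, dtrans


def is_deterministic(trans):
    """Definition 2.7: no tau step and at most one target per (state, label)."""
    targets = {}
    for (src, a, dst) in trans:
        if a == TAU or targets.setdefault((src, a), dst) != dst:
            return False
    return True


def traces_upto(trans, initial, k):
    """Traces of length <= k, found by enumerating paths state by state."""
    todo = [(s, ()) for s in initial]
    seen = set(todo)
    while todo:
        s, sigma = todo.pop()
        for (src, a, dst) in trans:
            if src == s:
                nxt = (dst, sigma if a == TAU else sigma + (a,))
                if len(nxt[1]) <= k and nxt not in seen:
                    seen.add(nxt)
                    todo.append(nxt)
    return {sigma for (_, sigma) in seen}


# Constructed sample: input a, outputs b and c, nondeterministic on a and
# with one tau step; every state accepts a, so the system is input-enabled.
INPUTS, OUTPUTS = {"a"}, {"b", "c"}
SAMPLE = {
    ("s0", "a", "s1"), ("s0", "a", "s2"),
    ("s1", "b", "s3"), ("s2", TAU, "s4"), ("s4", "c", "s3"),
    ("s1", "a", "s1"), ("s2", "a", "s2"), ("s3", "a", "s3"), ("s4", "a", "s4"),
}
DET_STATES, DET_INIT, DET_TRANS = determinise(SAMPLE, {"s0"}, INPUTS | OUTPUTS)

if __name__ == "__main__":
    for (u, a, v) in sorted(DET_TRANS, key=lambda t: (sorted(t[0]), t[1])):
        print(sorted(u), a, sorted(v))
```

The path enumeration in `traces_upto` does not use `reach`, so comparing its result on both systems is an independent check of the construction up to the chosen bound.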
Second, we define the parallel composition operator. This operator is fundamental in modelling
frameworks for component-based design. It allows one to build complex system models from smaller
ones, thus breaking up the specification of a system into manageable pieces. Parallel composed IOTSs
synchronise on shared inputs and complementary input-output pairs H.

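Definition 2.13 (Parallel composition of IOTSs). Given are two IOTSs
$\mathcal{A} = \langle S_{\mathcal{A}}, S^0_{\mathcal{A}}, L^I_{\mathcal{A}}, L^O_{\mathcal{A}}, \rightarrow_{\mathcal{A}} \rangle$
and
$\mathcal{B} = \langle S_{\mathcal{B}}, S^0_{\mathcal{B}}, L^I_{\mathcal{B}}, L^O_{\mathcal{B}}, \rightarrow_{\mathcal{B}} \rangle$
such that $L^O_{\mathcal{A}} \cap L^O_{\mathcal{B}} = \emptyset$. The parallel composition of $\mathcal{A}$ and
$\mathcal{B}$ is the IOTS
$\mathcal{A} \| \mathcal{B} = \langle S_{\mathcal{A}\|\mathcal{B}}, S^0_{\mathcal{A}\|\mathcal{B}}, L^I_{\mathcal{A}\|\mathcal{B}}, L^O_{\mathcal{A}\|\mathcal{B}}, \rightarrow_{\mathcal{A}\|\mathcal{B}} \rangle$,
where $S_{\mathcal{A}\|\mathcal{B}} = S_{\mathcal{A}} \times S_{\mathcal{B}}$,
$S^0_{\mathcal{A}\|\mathcal{B}} = S^0_{\mathcal{A}} \times S^0_{\mathcal{B}}$,
$L^I_{\mathcal{A}\|\mathcal{B}} = (L^I_{\mathcal{A}} \cup L^I_{\mathcal{B}}) \setminus (L^O_{\mathcal{A}} \cup L^O_{\mathcal{B}})$,
and $L^O_{\mathcal{A}\|\mathcal{B}} = L^O_{\mathcal{A}} \cup L^O_{\mathcal{B}}$. The transition relation
$\rightarrow_{\mathcal{A}\|\mathcal{B}}$ is defined as follows:

$$
\begin{aligned}
\rightarrow_{\mathcal{A}\|\mathcal{B}} ={} & \{ ((s,t), a?, (s',t')) \mid s \xrightarrow{a?}_{\mathcal{A}} s' \wedge t \xrightarrow{a?}_{\mathcal{B}} t' \} \\
\cup\; & \{ ((s,t), a!, (s',t')) \mid s \xrightarrow{a!}_{\mathcal{A}} s' \wedge t \xrightarrow{a?}_{\mathcal{B}} t' \} \\
\cup\; & \{ ((s,t), a!, (s',t')) \mid s \xrightarrow{a?}_{\mathcal{A}} s' \wedge t \xrightarrow{a!}_{\mathcal{B}} t' \} \\
\cup\; & \{ ((s,t), a, (s',t)) \mid s \xrightarrow{a}_{\mathcal{A}} s' \wedge t \in S_{\mathcal{B}} \wedge a \in L^\tau_{\mathcal{A}} \setminus L_{\mathcal{B}} \} \\
\cup\; & \{ ((s,t), a, (s,t')) \mid t \xrightarrow{a}_{\mathcal{B}} t' \wedge s \in S_{\mathcal{A}} \wedge a \in L^\tau_{\mathcal{B}} \setminus L_{\mathcal{A}} \}
\end{aligned}
$$

Thus, $L_{\mathcal{A}\|\mathcal{B}} = L^I_{\mathcal{A}\|\mathcal{B}} \cup L^O_{\mathcal{A}\|\mathcal{B}} = L_{\mathcal{A}} \cup L_{\mathcal{B}}$.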

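Example 2.14. Figure 4 shows two IOTSs $\mathcal{A}$ and $\mathcal{B}$, and their parallel composition
$\mathcal{A} \| \mathcal{B}$. We have $L^I_{\mathcal{A}} = \{a, b, c\}$, $L^O_{\mathcal{A}} = \{d\}$,
$L^I_{\mathcal{B}} = \{b, d\}$, and $L^O_{\mathcal{B}} = \{a, c, e\}$. Note that indeed
$L^O_{\mathcal{A}} \cap L^O_{\mathcal{B}} = \emptyset$, as required;
therefore, by Definition 2.13, $L^I_{\mathcal{A}\|\mathcal{B}} = \{b\}$ and
$L^O_{\mathcal{A}\|\mathcal{B}} = \{a, c, d, e\}$. □

Figure 5: The IOTSs $\mathcal{A}$ and $hide(\mathcal{A}, \{a, b\})$ (panels (a) and (b), respectively).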



Finally, it is often useful to hide certain actions of a given IOTS, thereby essentially renaming the
corresponding labels to $\tau$. For example, when parallel composing two IOTSs, some actions are only used
for synchronisation; after composition, they are not needed anymore.

Definition 2.15 (Action hiding in IOTSs). Let
$\mathcal{A} = \langle S, S^0, L^I, L^O, \rightarrow_{\mathcal{A}} \rangle$ be an IOTS and
$H \subseteq L^O$ a set of output labels, then one can hide $H$ in $\mathcal{A}$ to get the IOTS
$hide(\mathcal{A}, H) = \langle S, S^0, L^I, L^O \setminus H, \rightarrow_H \rangle$, where
$\rightarrow_H = \{(s, a, s') \in \rightarrow_{\mathcal{A}} \mid a \notin H\} \cup \{(s, \tau, s') \in S \times \{\tau\} \times S \mid \exists a \in H . (s, a, s') \in \rightarrow_{\mathcal{A}}\}$.

Thus, we only allow output actions to be hidden. Furthermore, we do not allow action hiding to lead
to divergent IOTSs, i.e., the hiding of outputs may not lead to the creation of $\tau$-loops.

Example 2.16. Figure 5 shows the IOTSs $\mathcal{A}$ with $L^O_{\mathcal{A}} = \{a, b, c\}$ and
$\mathcal{B} = hide(\mathcal{A}, \{a, b\})$. □

From now on, we typically won't show all input-labelled self-loops in visualisations of IOTSs, to
reduce clutter. Thus, we assume that every IOTS is input-enabled (unless mentioned otherwise).

2.4 Properties of IOTSs

IOTSs possess several interesting properties, that will also be of use when working with QTSs later
on. We provide three results, showing that (1) hiding of actions corresponds to projection of traces,
(2) parallel composition does not introduce new traces when projecting on the alphabet of either one of
the components, and (3) parallel composition of components that synchronise on all actions yields the
intersection of the traces of the components.

Proposition 2.17. Given an IOTS $\mathcal{A}$ and a set of labels $H \subseteq L^O_{\mathcal{A}}$, we have
$traces(hide(\mathcal{A}, H)) = traces(\mathcal{A}) \upharpoonright (L_{\mathcal{A}} \setminus H)$.

Proposition 2.18. Given two IOTSs $\mathcal{A}$ and $\mathcal{B}$, we have
$traces(\mathcal{A} \| \mathcal{B}) \upharpoonright L_{\mathcal{A}} \subseteq traces(\mathcal{A})$ and
$traces(\mathcal{A} \| \mathcal{B}) \upharpoonright L_{\mathcal{B}} \subseteq traces(\mathcal{B})$.

Proposition 2.19. Given two IOTSs $\mathcal{A}$, $\mathcal{B}$ with $L_{\mathcal{A}} = L_{\mathcal{B}}$, we have
$traces(\mathcal{A} \| \mathcal{B}) = traces(\mathcal{A}) \cap traces(\mathcal{B})$.

3 Quiescent Transition Systems 
3.1 Basic notions and requirements 

IOTSs can be used to model the inputs and outputs of a system, but cannot explicitly express the
observation of the absence of outputs, also called the observation of quiescence |[T4lim r7ll. To fill this void,
we introduce Quiescent Transition Systems. These automata can be used to model all possible
observations for a particular system, including quiescence, and can thus be thought of as 'observation automata'.



Talking quiescence: a rigorous theory that supports parallel composition and determinisation

Figure 6: The QTSs $\mathcal{A}$, $\mathcal{B}$, $\mathcal{C}$ and $\mathcal{D}$ (panels (a) to (d)) that do
not satisfy rule R1, rule R2, rule R3 and rule R4, respectively.



They are based on Tretmans' suspension automata [11], in the sense that a $\delta$-transition represents the
observation of quiescence. A basic variant of QTSs was already used in [10] in a testing framework.
However, restrictions for QTSs to prohibit counterintuitive behaviour, as well as characteristics and
closure properties of such models, have never been studied before.

Definition 3.1 (Quiescence). Let $\mathcal{A} = \langle S, S^0, L^I, L^O, \rightarrow \rangle$ be an IOTS. A state
$s \in S$ is called quiescent if $\nexists a \in L^O \cup \{\tau\} . s \xrightarrow{a}$, i.e., no outputs or
internal transitions can be executed in state $s$.

A system in a quiescent state will be idle until a new input is supplied. Note that a state $s$ that can
still perform a $\tau$-step is not considered quiescent, even if there is no output $a! \in L^O$ such that
$s \xrightarrow{a!}$. After all, since quiescence signifies that a system is idle indefinitely, it would not make
sense if there are still internal steps possible. Moreover, from a more technical point of view, this ensures
that QTSs are closed under hiding and that hiding and deltafication (see Section 4) are commutative.

Definition 3.2 (Quiescent Transition Systems). A Quiescent Transition System (QTS) is an IOTS
$\mathcal{A} = \langle S, S^0, L^I, L^O \cup \{\delta\}, \rightarrow \rangle$, where
$\delta \notin L^I \cup L^O$ is a special output label that is used to denote the
observation of quiescence. We define $L = L^I \cup L^O$, = $L^I \cup L^O \cup \{\delta, \tau\}$ and let
$\rightarrow \subseteq S \times$ $\times S$ be
the transition relation. Like regular IOTSs, QTSs must be input-enabled, i.e., $s \xrightarrow{a}$ for all
$s \in S$, $a \in L^I$.
Furthermore, we also require the following rules to hold for all states $s, s', s'' \in S$:

Rule R1 (Quiescence should be observable): if $s$ is quiescent, then $s \xrightarrow{\delta}$.

This rule requires that each quiescent state has an outgoing $\delta$-transition. Consider the QTS
$\mathcal{A}$ in Figure 6(a). This QTS does not satisfy this rule, as the topmost state cannot produce any
outputs, but neither can execute an outgoing $\delta$-transition.

Rule R2 (No outputs after quiescence): if $s \xrightarrow{\delta} s'$, then $s'$ is quiescent.

This rule ensures that the system is idle after a $\delta$-transition, i.e., it cannot provide an output (except
for $\delta$ itself) or execute an internal transition, before another input is provided. In Figure 6(b) the
QTS $\mathcal{B}$ is shown which does not satisfy this rule. From the top-most state it is possible to first
observe quiescence (the $\delta$-transition) and after that the $a!$ output, without an intermediate input.
Since there is no particular observation duration associated with quiescence, but quiescence rather
means that the system idles indefinitely, this is clearly counterintuitive and therefore disallowed.

Rule R3 (Quiescence does not enable new behaviour): if $s \xrightarrow{\delta} s'$, then
$traces(s') \subseteq traces(s)$.

Given a state $s'$ of a QTS that is reached from another state $s$ by a $\delta$-transition (i.e., observation
of quiescence), this rule demands that any trace that can be executed starting from state $s'$ can
also be executed in state $s$, i.e., the observation of quiescence may not introduce any new possible
observations. This rule was added to prevent situations like the one depicted in Figure 6(c). For
QTS $\mathcal{C}$ it is possible to observe the output $c!$ (after the input $a?$) after first observing quiescence,
but if quiescence is not observed (because, for instance, the input $a?$ was directly given) the output
$b!$ will be observed after the input $a?$ instead. Thus, the prior observation of quiescence allows
new behaviour to be observed later on, which is counterintuitive. This rule therefore ensures that
all behaviour that can be observed after observing quiescence can also be observed before.

Rule R4 (Continued quiescence preserves behaviour): if $s \xrightarrow{\delta} s'$ and
$s' \xrightarrow{\delta} s''$, then $traces(s') = traces(s'')$.

A QTS $\mathcal{D}$ that violates this rule is shown in Figure 6(d). From the initial state an observation
of quiescence can be made, which then leads to a new state where the trace $ac$ can no longer be
observed. From the latter state another observation of quiescence can be made, which leads to
another state where the trace $ad$ can no longer be observed. Rule R3 allows this, but as there
is no particular time interval associated with the observation of quiescence, this does not make
sense. We therefore have the additional requirement that any observations possible after two (or
more) consecutive observations of quiescence should also be possible after a single observation of
quiescence, and vice versa.

Just as for IOTSs, we require QTSs to be convergent. The reason for this is that divergent systems
have states that can execute internal transitions infinitely often and never output anything. Considering
such a state quiescent would be nonintuitive, as it is not idle (and might even be able to provide an output
action, even though it does not show it). Not considering it quiescent would also be nonintuitive, because
of the possibility that no visible behaviour is observed.

Note that the converse of rule R1 is not required, e.g., we do not forbid that a state has both a
$\delta$-transition and an output action enabled. This situation can arise during the determinisation of a QTS, as
we will see in Section 4. However, the $\delta$-transition should still end up in a quiescent state, as required by
rule R2. Also note that a trace of a QTS can contain a sequence of $\delta$-actions. Although this might seem
odd, it corresponds to the practical testing scenario of observing a time-out rather than an output more
than once in a row.

Since computing trace inclusion is expensive [1], an easier way to ensure that a QTS complies with rule
R3 is to make sure the following alternative rule R3' holds for all states $s, s', s'' \in S$.

Rule R3': if $s \xrightarrow{\delta} s'$ and $\exists a? \in L^I$ such that $s' \xrightarrow{a?} s''$ then also
$s \xrightarrow{a?} s''$.

Clearly, any QTS that satisfies rule R3' also satisfies rule R3.

Similarly, conformance to rule R4 for a QTS can be achieved by making sure that the following
alternative rule R4' holds for all states $s, s' \in S$ of the QTS.

Rule R4': if $s \xrightarrow{\delta} s'$ then $s' \xrightarrow{\delta} s'$, and if also
$s' \xrightarrow{\delta} s''$ then $s'' = s'$.

Clearly, any QTS that satisfies rule R4' also satisfies rule R4.

When comparing the structure of two QTSs A and B, the notion of isomorphisms can be useful. 

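Definition 3.3 (Isomorphic QTSs). Two QTSs
$\mathcal{A} = \langle S_{\mathcal{A}}, S^0_{\mathcal{A}}, L^I_{\mathcal{A}}, L^O_{\mathcal{A}} \cup \{\delta\}, \rightarrow_{\mathcal{A}} \rangle$
and
$\mathcal{B} = \langle S_{\mathcal{B}}, S^0_{\mathcal{B}}, L^I_{\mathcal{B}}, L^O_{\mathcal{B}} \cup \{\delta\}, \rightarrow_{\mathcal{B}} \rangle$
are called isomorphic, denoted $\mathcal{A} = \mathcal{B}$, if there exists a bijection
$h : S_{\mathcal{A}} \rightarrow S_{\mathcal{B}}$ (called an isomorphism) such that the following holds:

1. for all $s_0 \in S^0_{\mathcal{A}}$ there exists a $t_0 \in S^0_{\mathcal{B}}$ such that $h(s_0) = t_0$, and
vice versa;

2. $s \xrightarrow{a}_{\mathcal{A}} s'$ if and only if $h(s) \xrightarrow{a}_{\mathcal{B}} h(s')$, for all
$s, s' \in S_{\mathcal{A}}$ and $a \in L_{\mathcal{A}} \cup \{\delta, \tau\}$.

Thus, two isomorphic QTSs are structurally equivalent.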



Figure 7: The QTSs $\mathcal{A}$, $\mathcal{B}$ and $\mathcal{A} \| \mathcal{B}$ (panels (a), (b) and (c),
respectively).

3.2 Operations on QTSs 

Since QTSs are a specialisation of IOTSs, all operations that are applicable to IOTSs (such as
determinisation, parallel composition and hiding of actions) are also applicable to QTSs. Determinisation for
QTSs is exactly the same as for IOTSs, but there are some minor differences for parallel composition
and action hiding.

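Definition 3.4 (Parallel composition of QTSs). Let
$\mathcal{A} = \langle S_{\mathcal{A}}, S^0_{\mathcal{A}}, L^I_{\mathcal{A}}, L^O_{\mathcal{A}} \cup \{\delta\}, \rightarrow_{\mathcal{A}} \rangle$
and
$\mathcal{B} = \langle S_{\mathcal{B}}, S^0_{\mathcal{B}}, L^I_{\mathcal{B}}, L^O_{\mathcal{B}} \cup \{\delta\}, \rightarrow_{\mathcal{B}} \rangle$
be two QTSs such that $L^O_{\mathcal{A}} \cap L^O_{\mathcal{B}} = \emptyset$. The parallel composition of
$\mathcal{A}$ and $\mathcal{B}$ is then the QTS
$\mathcal{A} \| \mathcal{B} = \langle S_{\mathcal{A}\|\mathcal{B}}, S^0_{\mathcal{A}\|\mathcal{B}}, L^I_{\mathcal{A}\|\mathcal{B}}, L^O_{\mathcal{A}\|\mathcal{B}} \cup \{\delta\}, \rightarrow_{\mathcal{A}\|\mathcal{B}} \rangle$,
where $S_{\mathcal{A}\|\mathcal{B}} = S_{\mathcal{A}} \times S_{\mathcal{B}}$,
$S^0_{\mathcal{A}\|\mathcal{B}} = S^0_{\mathcal{A}} \times S^0_{\mathcal{B}}$,
$L^I_{\mathcal{A}\|\mathcal{B}} = (L^I_{\mathcal{A}} \cup L^I_{\mathcal{B}}) \setminus (L^O_{\mathcal{A}} \cup L^O_{\mathcal{B}})$,
and $L^O_{\mathcal{A}\|\mathcal{B}} = L^O_{\mathcal{A}} \cup L^O_{\mathcal{B}}$.
$\rightarrow_{\mathcal{A}\|\mathcal{B}}$ is defined as follows:

$$
\begin{aligned}
\rightarrow_{\mathcal{A}\|\mathcal{B}} ={} & \{ ((s,t), a?, (s',t')) \mid s \xrightarrow{a?}_{\mathcal{A}} s' \wedge t \xrightarrow{a?}_{\mathcal{B}} t' \} \\
\cup\; & \{ ((s,t), a!, (s',t')) \mid s \xrightarrow{a!}_{\mathcal{A}} s' \wedge t \xrightarrow{a?}_{\mathcal{B}} t' \} \\
\cup\; & \{ ((s,t), a!, (s',t')) \mid s \xrightarrow{a?}_{\mathcal{A}} s' \wedge t \xrightarrow{a!}_{\mathcal{B}} t' \} \\
\cup\; & \{ ((s,t), \delta, (s',t')) \mid (s, \delta, s') \in \rightarrow_{\mathcal{A}} \wedge (t, \delta, t') \in \rightarrow_{\mathcal{B}} \} \\
\cup\; & \{ ((s,t), a, (s',t)) \mid s \xrightarrow{a}_{\mathcal{A}} s' \wedge t \in S_{\mathcal{B}} \wedge a \in L^\tau_{\mathcal{A}} \setminus L_{\mathcal{B}} \} \\
\cup\; & \{ ((s,t), a, (s,t')) \mid t \xrightarrow{a}_{\mathcal{B}} t' \wedge s \in S_{\mathcal{A}} \wedge a \in L^\tau_{\mathcal{B}} \setminus L_{\mathcal{A}} \}
\end{aligned}
$$

Thus, when compared to the parallel composition of regular IOTSs, we have the additional
requirement that parallel composed QTSs must synchronise on the $\delta$-action, as the observation of quiescence
can be made simultaneously for multiple QTSs. Again, we find that
$L_{\mathcal{A}\|\mathcal{B}} = L^I_{\mathcal{A}\|\mathcal{B}} \cup L^O_{\mathcal{A}\|\mathcal{B}} = L_{\mathcal{A}} \cup L_{\mathcal{B}}$.

Example 3.5. See Figure 7(a) for the visual representation of a QTS $\mathcal{A}$ which satisfies all the
requirements for QTSs listed in Definition 3.2. Figure 7(b) shows another QTS $\mathcal{B}$ and Figure 7(c)
shows the parallel composition of the QTSs $\mathcal{A}$ and $\mathcal{B}$. □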

Definition 3.6 (Action hiding in QTSs). Let
$\mathcal{A} = \langle S, S^0, L^I, L^O \cup \{\delta\}, \rightarrow_{\mathcal{A}} \rangle$ be a QTS and
$H \subseteq L^O$ a set of labels, then one can hide $H$ in $\mathcal{A}$ to obtain the IOTS
$hide(\mathcal{A}, H) = \langle S, S^0, L^I, (L^O \setminus H) \cup \{\delta\}, \rightarrow_H \rangle$,
where
$\rightarrow_H = \{(s, a, s') \in \rightarrow_{\mathcal{A}} \mid a \notin H\} \cup \{(s, \tau, s') \in S \times \{\tau\} \times S \mid \exists a \in H . (s, a, s') \in \rightarrow_{\mathcal{A}}\}$.

We do not allow the special output label $\delta$ to be hidden, as this label doesn't represent a specific
output but rather (the observation of) a lack of outputs. Furthermore, as for IOTSs, we do not allow
action hiding to lead to divergent QTSs, i.e., hiding may not lead to the creation of $\tau$-loops.

3.3 Properties of QTSs

In this section, we present several interesting properties of QTSs. First of all, it turns out that our model 
is closed under all operations defined thus far: determinisation, action hiding and parallel composition. 
Therefore, these operations are indeed well-defined for QTSs. 

Theorem 3.7. QTSs are closed under determinisation, action hiding and parallel composition. Hence,
given two QTSs $\mathcal{A}$, $\mathcal{B}$ and a set of labels $H \subseteq L^O_{\mathcal{A}}$, also
$det(\mathcal{A})$, $hide(\mathcal{A}, H)$ and $\mathcal{A} \| \mathcal{B}$ are QTSs.

We also provide two results concerning the traces of parallel compositions of QTSs, generalising the
corresponding properties of IOTSs as given in Section 2.4. First, parallel composition does not introduce
new traces when projecting on the alphabet of either one of the components. That is, when disregarding
the actions of component $\mathcal{B}$ in the traces of $\mathcal{A} \| \mathcal{B}$, the resulting set of traces is
a subset of the traces of $\mathcal{A}$.
It then quite easily follows that, when two parallel QTSs have the same alphabet (and hence synchronise
on all actions), we obtain a subset of the intersection of their individual traces.

Proposition 3.8. Given two QTSs $\mathcal{A}$ and $\mathcal{B}$, we have
$traces(\mathcal{A} \| \mathcal{B}) \upharpoonright (L_{\mathcal{A}} \cup \{\delta\}) \subseteq traces(\mathcal{A})$ and
$traces(\mathcal{A} \| \mathcal{B}) \upharpoonright (L_{\mathcal{B}} \cup \{\delta\}) \subseteq traces(\mathcal{B})$.

Proposition 3.9. Given two QTSs $\mathcal{A}$, $\mathcal{B}$ with $L_{\mathcal{A}} = L_{\mathcal{B}}$, we have
$traces(\mathcal{A} \| \mathcal{B}) = traces(\mathcal{A}) \cap traces(\mathcal{B})$.



4 From IOTS to QTS: deltafication

Usually, the specification and implementation of a system (under development) are given as IOTSs,
rather than QTSs. During testing, however, we typically observe the outputs of the system generated in
response to inputs from the environment; thus, it is useful to be able to refer to the absence of outputs
(i.e., quiescence) explicitly. Hence, we need a way to convert an IOTS to a QTS that captures all possible
observations of it, including quiescence; this conversion is called deltafication and is described in
[11, 12, 13]. First, however, we need to introduce an additional condition C1 for IOTSs, for every
$s, s' \in S$:

Condition C1: if $s \xrightarrow{\delta} s'$, then for all $\sigma \in traces(s')$:

$$
\exists t' \in reach(s', \sigma) .\ t' \text{ is quiescent} \wedge t' \stackrel{\delta}{\nrightarrow}
\;\implies\;
\forall t \in reach(s, \sigma) .\ t \text{ is quiescent} \wedge t \stackrel{\delta}{\nrightarrow}
$$

Condition C1 requires that if any trace $\sigma \in traces(s')$, when executed from $s'$, can lead to a state
that is quiescent and cannot execute a $\delta$-transition, then it must always lead to a state that is quiescent
and cannot execute a $\delta$-transition when executed from $s$. This condition is weaker than R1, and allows
us to determine the deltafication of systems that already contain some $\delta$-transitions without requiring a
$\delta$-transition from every quiescent state. Note that any IOTS without $\delta$-transitions vacuously
satisfies C1.

Definition 4.1 (Deltafication). Given an IOTS
$\mathcal{A} = \langle S, S^0, L^I, L^O, \rightarrow_{\mathcal{A}} \rangle$ that for all $s, s' \in S$ satisfies
deltafication condition C1, and rules R2, R3 and R4 (see Definition 3.2), we define the deltafication
of $\mathcal{A}$ as the QTS
$\delta(\mathcal{A}) = \langle S, S^0, L^I, L^O \cup \{\delta\}, \rightarrow_\delta \rangle$ where
$\rightarrow_\delta = \rightarrow_{\mathcal{A}} \cup \{(s, \delta, s) \in S \times \{\delta\} \times S \mid s \text{ is quiescent} \wedge s \stackrel{\delta}{\nrightarrow}\}$.

Example 4.2. An IOTS A and its deltafication $\delta(A)$ are shown in Figure 8(a) and 8(b), respectively. □ 

Remark 4.3. To see why condition C1 is necessary, consider the IOTS B and its deltafication $\delta(B)$ shown 
in Figure 8(c) and Figure 8(d), respectively; the states have been labelled for convenience. B does not 
satisfy condition C1, since $s_0 \xrightarrow{\delta} s_1$, $s_4 \in \mathit{reach}(s_1, a)$ and $s_4$ is quiescent and $s_4 \not\xrightarrow{\delta}$, but $s_3 \in \mathit{reach}(s_0, a)$ 
and $s_3$ is not quiescent. As a consequence, the deltafication $\delta(B)$ is not a valid QTS: for $\delta(B)$ we have 
$a\,\delta\,b\,c \in \mathit{traces}(s_1)$, but $a\,\delta\,b\,c \notin \mathit{traces}(s_0)$, thereby violating rule R3. 

A more liberal version of C1, where the second quantification is changed to an existential one, would 
not be strong enough to prevent this: it would not forbid this example, as $s_2 \in \mathit{reach}(s_0, a)$ is quiescent 
and cannot do a $\delta$-transition. 

Figure 8: Deltafications of the IOTSs A and B. 

4.1 Validity of deltafication 

Now, we present several interesting properties regarding the deltafication of IOTSs and QTSs. First, we 
show that deltafication indeed yields a valid QTS, and that it is idempotent. 

Lemma 4.4. Given an IOTS A that satisfies condition C1 and rules R2, R3 and R4, $\delta(A)$ is a QTS. 

Proposition 4.5. Deltafication is idempotent, i.e., given an IOTS A that satisfies condition C1 and rules 
R2, R3 and R4, we have $\delta(\delta(A)) = \delta(A)$. 

Any IOTS A with $\delta \notin L_A$ vacuously satisfies condition C1 and rules R2, R3 and R4. Therefore, the 
following theorem follows directly from Lemma 4.4. 

Theorem 4.6. Given an IOTS A such that $\delta \notin L_A$, $\delta(A)$ is a QTS. 

By Definition 3.2, QTSs are IOTSs that satisfy rules R1, R2, R3 and R4. Since every state s in a 
QTS enables at least one output action or $\delta$ (due to rule R1), it never occurs that s is quiescent and does 
not enable a $\delta$-transition, and hence every QTS satisfies condition C1 vacuously. 
By Lemma 4.4, this immediately implies the following theorem. 

Theorem 4.7. QTSs are closed under deltafication, i.e., given a QTS A, $\delta(A)$ is also a QTS. 



4.2 Commutativity results 

In this section we investigate the commutativity of deltafication with determinisation, action hiding and 
parallel composition. We will show that parallel composition can safely be swapped with deltafication, 
but that determinisation has to precede deltafication to get sensible results. Also, we show that action 
hiding does not commute with deltafication. 

Proposition 4.8. Deltafication and determinisation do not commute, i.e., given an IOTS A that satisfies 
condition C1 and rules R2, R3 and R4, it is not necessarily the case that $\mathit{det}(\delta(A)) = \delta(\mathit{det}(A))$. 

Proof. Observe the IOTS A, its determinisation $\mathit{det}(A)$ and deltafication $\delta(A)$ in Figure 9(a,b,c). Clearly, 
the deltafication of the determinisation of A (i.e., $\delta(\mathit{det}(A))$), shown in Figure 9(d), results in an incorrect 
observation automaton, as it does not model the fact that in the nondeterministic QTS $\delta(A)$ quiescence 
may be observed after an initial a? input, as required by rule R1. 

Contrary to the deltafication of the determinisation of A, the determinisation of the deltafication of A 
(i.e., $\mathit{det}(\delta(A))$), which is shown in Figure 9(e), does preserve the fact that quiescence may be observed 
after an initial a? input. This shouldn't come as a surprise, since for any IOTS A the determinisation 
$\mathit{det}(A)$ is trace equivalent to the original automaton, as was observed earlier. □ 

[Figure 9 panels: (a) $A$, (b) $\mathit{det}(A)$, (c) $\delta(A)$, (d) $\delta(\mathit{det}(A))$, (e) $\mathit{det}(\delta(A))$] 

Figure 9: The determinisation and deltafication of IOTS A do not commute. 

Thus, when transforming a nondeterministic IOTS A to a deterministic QTS, one should take care to 
first derive $\delta(A)$ and afterwards determinise to obtain $\mathit{det}(\delta(A))$. 
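
The ordering requirement can be checked mechanically. The following Python sketch is an added example, not code from the paper: it implements Definition 4.1 and a subset-construction determinisation for τ-free systems on a small constructed IOTS, and shows that only det(δ(A)) still observes quiescence after a?. The state names, the `"delta"`/`"tau"` label strings and all function names are assumptions of this example.

```python
from collections import deque

DELTA, TAU = "delta", "tau"

def deltafy(states, trans):
    """Definition 4.1: add a delta self-loop to every state that has no
    outgoing output (label ending in '!'), tau or delta transition."""
    busy = {s for (s, l, _) in trans if l.endswith("!") or l in (TAU, DELTA)}
    return set(trans) | {(s, DELTA, s) for s in states if s not in busy}

def determinise(init, trans):
    """Subset construction for a tau-free system; states become frozensets."""
    start = frozenset([init])
    seen, dtrans, todo = {start}, set(), deque([start])
    while todo:
        cur = todo.popleft()
        for label in {l for (s, l, _) in trans if s in cur}:
            nxt = frozenset(t for (s, l, t) in trans if s in cur and l == label)
            dtrans.add((cur, label, nxt))
            if nxt not in seen:
                seen.add(nxt)
                todo.append(nxt)
    return start, seen, dtrans

def has_trace(init, trans, trace):
    """True if `trace` can be executed from `init` (tau-free systems)."""
    cur = {init}
    for label in trace:
        cur = {t for (s, l, t) in trans if s in cur and l == label}
    return bool(cur)

# Constructed IOTS (not the A of Figure 9): after a? it may either stay
# silent (s1) or answer b! (s2). Every state accepts the input a?.
STATES = {"s0", "s1", "s2", "s3"}
TRANS = {("s0", "a?", "s1"), ("s0", "a?", "s2"), ("s2", "b!", "s3"),
         ("s1", "a?", "s1"), ("s2", "a?", "s2"), ("s3", "a?", "s3")}

def delta_then_det():
    start, _, dtrans = determinise("s0", deltafy(STATES, TRANS))
    return start, dtrans

def det_then_delta():
    start, dstates, dtrans = determinise("s0", TRANS)
    return start, deltafy(dstates, dtrans)

if __name__ == "__main__":
    for name, build in (("det(delta(A))", delta_then_det), ("delta(det(A))", det_then_delta)):
        start, trans = build()
        print(name, "observes quiescence after a?:", has_trace(start, trans, ["a?", DELTA]))
```

In det(A) the merged state {s1, s2} enables b!, so deltafication adds no δ-loop there and the quiescence of s1 is lost.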

The following results show that deltafication does commute with both action hiding and parallel 
composition. For action hiding this is trivial. After all, hiding only renames output actions to $\tau$, and 
deltafication only adds $\delta$-loops to states that have no outgoing output transitions, no outgoing $\tau$-transitions and no 
outgoing $\delta$-transition. Hence, they work on disjoint sets of states; commutativity is therefore immediate. 

Theorem 4.9. Deltafication and action hiding commute, i.e., given an IOTS A that satisfies condition 
C1 and rules R2, R3 and R4, and a set of labels $H \subseteq L^O$, we have $\delta(\mathit{hide}(A, H)) = \mathit{hide}(\delta(A), H)$. 

Theorem 4.10. Deltafication and parallel composition commute, i.e., given two IOTSs A and B with 
^ ~ ^ ^^'^^ satisfy condition C1 and rules R2, R3 and R4, we have $\delta(A \parallel B) = \delta(A) \parallel \delta(B)$. 

These results are vital, as they allow great modelling flexibility. After all, hiding and parallel 
composition are often already applied to the IOTSs that describe a specification and its implementation. We 
have now shown that this yields the same QTSs as when these operations are applied after deltafication. 



5 Application to testing 

Our main motivation for introducing and studying the QTS model was to enable a clean theoretical 
framework for model-based testing. In this section, we illustrate how the model can be incorporated in 
the ioco (input-output conformance) testing theory [13]. 

5.1 A conformance relation based on QTSs 

To interpret the results of testing, we need to know which implementations are considered correct. For 
this, we use a conformance relation, such as ioco, that relates specifications to implementations if and 
only if the latter is 'correct' with respect to the former. For ioco, this is the case if the implementation 
never provides an unexpected output when it is only fed inputs that are allowed according to the specifi- 
cation. In this setting, an unexpected absence of outputs of the implementation is also considered to be 
unexpected output. This can be formalised very nicely using QTSs, as they already model the expected 
absence of outputs by explicit $\delta$-transitions. 

[Figure 10 panels: (a) $A_{spec}$, (b) $A_{impl_1}$, (c) $A_{impl_2}$, (d) $A_{impl_3}$, (e) $A_{impl_4}$] 

Figure 10: A specification with two correct and two erroneous implementations. 

Definition 5.1. Let $A_{impl}$, $A_{spec}$ be QTSs over the same alphabet $L^I \cup L^O \cup \{\delta\}$. Then 

$A_{impl} \sqsubseteq_{ioco} A_{spec}$ if and only if $\forall \sigma \in \mathit{traces}(A_{spec}) \,.\, \mathit{out}_{A_{impl}}(\sigma) \subseteq \mathit{out}_{A_{spec}}(\sigma)$, 

where $\mathit{out}_A(\sigma) = \{ a! \in L^O \cup \{\delta\} \mid \sigma\, a! \in \mathit{traces}(A) \}$. 

Since we require all QTSs to be input-enabled, it is easy to see that ioco-conformance precisely 
corresponds to traditional trace inclusion over QTSs. 



Example 5.2. Consider the specification $A_{spec}$ given in Figure 10. It allows the initial state to either be 
quiescent, output an a! or output a b!. We present four implementations. The first two implementations 
are ioco-correct with respect to $A_{spec}$: although they omit some of the traces of the specification, they 
never provide an unexpected output after a trace that is in the specification. The third implementation is 
erroneous since it can provide a d! output from the initial state, while the specification does not allow 
this. The fourth implementation is erroneous since it is unexpectedly quiescent after the trace c?. □ 

Note that QTSs allowed us in this example to explicitly model the fact that both quiescence and some 
output actions are considered correct behaviour of a system. Also, note that the unexpected quiescence 
of the fourth implementation is clearly marked by a $\delta$-transition in the QTS. 
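
Definition 5.1 translates directly into a search over the traces of the specification. The Python sketch below is an added example, not code from the paper: it checks ioco on τ-free QTSs and returns a witness trace when conformance fails. The models are constructed in the spirit of Example 5.2 and are not the automata of Figure 10; state names, the `"delta"` label string and function names are assumptions of this example.

```python
from collections import deque

DELTA = "delta"

def step(trans, cur, label):
    """States reachable from the set `cur` by one `label` transition."""
    return frozenset(t for (s, l, t) in trans if s in cur and l == label)

def out(trans, cur):
    """out(sigma) for the state set reached by sigma: enabled outputs and delta."""
    return {l for (s, l, _) in trans if s in cur and (l.endswith("!") or l == DELTA)}

def ioco_counterexample(impl, spec, init_i="q0", init_s="q0"):
    """Definition 5.1 on tau-free QTSs: walk every trace sigma of the
    specification and compare out_impl(sigma) with out_spec(sigma).
    Returns None if impl ioco spec, else (sigma, unexpected outputs)."""
    start = (frozenset([init_i]), frozenset([init_s]))
    seen, todo = {start}, deque([(start, ())])
    while todo:
        (ci, cs), sigma = todo.popleft()
        extra = out(impl, ci) - out(spec, cs)
        if extra:
            return list(sigma), sorted(extra)
        for label in {l for (s, l, _) in spec if s in cs}:
            nxt = (step(impl, ci, label), step(spec, cs, label))
            if nxt[0] and nxt not in seen:   # impl cannot follow: nothing to compare
                seen.add(nxt)
                todo.append((nxt, sigma + (label,)))
    return None

# Constructed QTSs in the spirit of Example 5.2 (not the models of Figure 10).
COMMON = {("q0", "a!", "q2"), ("q0", "c?", "q3"), ("q2", "c?", "q2"),
          ("q3", "c?", "q3"), ("q2", DELTA, "q2")}
SPEC = COMMON | {("q0", "b!", "q2"), ("q0", DELTA, "q1"), ("q1", DELTA, "q1"),
                 ("q1", "c?", "q3"), ("q3", "e!", "q2")}
IMPL_OK = COMMON | {("q3", "e!", "q2")}             # omits b! and initial quiescence
IMPL_BAD_OUTPUT = IMPL_OK | {("q0", "d!", "q2")}    # d! is not allowed initially
IMPL_BAD_QUIET = COMMON | {("q3", DELTA, "q3")}     # silent where e! is required

if __name__ == "__main__":
    for name, impl in (("ok", IMPL_OK), ("bad output", IMPL_BAD_OUTPUT), ("bad quiet", IMPL_BAD_QUIET)):
        print(name, ioco_counterexample(impl, SPEC))
```

Because quiescence is an ordinary label in both models, unexpected silence after c? is reported the same way as an unexpected output.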



5.2 Testing using QTSs 

Using the notion of ioco-correspondence, it is quite easy to derive test cases for QTSs. Basically, at 
each point in time we choose to either try to provide an input, observe the behaviour of the system 
or stop testing. As long as the trace we obtain in this way (including the $\delta$-actions) is also a trace of 
the specification, the implementation is correct. Due to the explicit presence of quiescence in the QTS 
model of the specification, it is easy to see that this straightforward way of testing precisely corresponds 
to checking ioco-conformance. 



6 Conclusions and Future Work 

We introduced the notion of quiescent transition systems (QTSs), explicitly modelling the absence of 
outputs as a first-class citizen. We provided four restrictions for QTSs, to eliminate counterintuitive be- 
haviours. Also, we defined the common automaton operations — parallel composition, determinisation 
and action hiding — directly on QTSs, and showed that all of our restrictions are indeed preserved by 
the operations. We presented a way to obtain a QTS from a traditional input-output transition system 
(IOTS), even allowing the situation in which the IOTS already partially models quiescence. Finally, 
we illustrated how our novel theory of QTSs can be used to greatly simplify the theory of model-based 
testing, defining the conformance relation ioco in terms of QTSs. 

So far, we only allowed input-enabled and convergent QTSs; i.e., systems that cannot perform an 
endless series of unobservable transitions. Future work will focus on extending our framework to diver- 
gent systems that are not necessarily input-enabled. Also, we plan on linking QTSs to timed automata, to 
explicitly represent $\delta$-transitions as finite timeouts, bridging the gap between formal and practical testing. 

Acknowledgements This research has been partially funded by NWO under grants 612.063.817 
(SYRUP) and Dn 63-257 (ROCKS). 



References 

[1] F. Aarts & F. W. Vaandrager (2010): Learning I/O Automata. In: Proc. of the 21st Int. Conf. on Concurrency 
Theory (CONCUR), LNCS 6269, Springer, pp. 71-85, doi:10.1007/978-3-642-15375T3 

[2] C. Baier & J.-P. Katoen (2008): Principles of Model Checking. The MIT Press. 

[3] H. C. Bohnenkamp & M. I. A. Stoelinga (2008): Quantitative testing. In: Proc. of the 8th ACM & IEEE Int. 
Conf. on Embedded software (EMSOFT), ACM, pp. 227-236, doi:10.1145/1450058.1450089 

[4] R. De Nicola & R. Segala (1995): A process algebraic view of input/output automata. Theoretical Computer 
Science 138, pp. 391-423, doi:10.1016/0304-3975(95)92307-1 

[5] N. A. Lynch & M. R. Tuttle (1987): Hierarchical Correctness Proofs for Distributed Algorithms. In: 
Proc. of the 6th Annual ACM Symp. on Principles of Distributed Computing (PODC), pp. 137-151, 
doi:10.1145/41840.41852 

[6] R. Segala (1993): Quiescence, Fairness, Testing, and the Notion of Implementation. In: Proc. of 4th Int. Conf. 
on Concurrency Theory (CONCUR), LNCS 715, Springer, pp. 324-338, doi:10.1007/3-540-57208-2_23 

[7] R. Segala (1997): Quiescence, Fairness, Testing, and the Notion of Implementation. Information and 
Computation 138(2), pp. 194-210, doi:10.1006/inco.1997.2652 

[8] W. G. J. Stokkink, M. Timmer & M. I. A. Stoelinga (2012): Talking quiescence: a rigorous theory that 
supports parallel composition, action hiding and determinisation (extended version). Technical Report 
TR-CTIT-12-05, CTIT, University of Twente. 

[9] T. A. Sudkamp (2006): Languages and machines. Pearson Addison Wesley. 

[10] M. Timmer, H. Brinksma & M. I. A. Stoelinga (2011): Model-Based Testing. In: Software and Systems 
Safety: Specification and Verification, NATO Science for Peace and Security Series D: Information and 
Communication Security 30, IOS Press, Amsterdam, pp. 1-32, doi:10.3233/978-1-60750-711-6-1 

[11] G. J. Tretmans (1996): Test Generation with Inputs, Outputs, and Quiescence. In: Proceedings of the 2nd 
Int. Workshop on Tools and Algorithms for Construction and Analysis of Systems (TACAS), LNCS 1055, 
Springer, pp. 127-146, doi:10.1007/3-540-61042-1_42 

[12] G. J. Tretmans (1996): Test Generation with Inputs, Outputs and Repetitive Quiescence. Software - Concepts 
and Tools 17(3), pp. 103-120. 

[13] G. J. Tretmans (2008): Model Based Testing with Labelled Transition Systems. In: Formal Methods and 
Testing, LNCS 4949, Springer, pp. 1-38, doi:10.1007/978-3-540-78917-8_1 

[14] F. W. Vaandrager (1991): On the Relationship Between Process Algebra and Input/Output Automata 
(Extended Abstract). In: Proc. of 6th Annual Symposium on Logic in Computer Science (LICS), IEEE, pp. 
387-398, doi:10.1109/LICS.1991.151662 

[15] H. M. van der Bijl, A. Rensink & G. J. Tretmans (2004): Compositional Testing with ioco. In: Formal 
Approaches to Software Testing (FATES), LNCS 2931, Springer Verlag, Berlin, pp. 86-100, 
doi:10.1007/978-3-540-24617-6_7 



